Configure the security token service (SharePoint Foundation 2010)

SharePoint 2010

Applies to: SharePoint Foundation 2010

Topic Last Modified: 2011-09-19

This article provides guidance to enable you to configure the Microsoft SharePoint Foundation 2010 security token service (STS). An STS is a specialized Web service that is designed to respond to requests for security tokens and provide identity management. The core functionality of every STS is the same, but the nature of the tasks that each STS performs depends on the role the STS plays in relation to the other STS Web services in your design.

In this article:

Web applications that use a security token service handle requests to issue, manage, and validate security tokens. Security tokens consist of a collection of identity claims (such as a user's name, role, or an anonymous identifier). Tokens can be issued in different formats, such as Security Assertion Markup Language (SAML) tokens. Security tokens can be protected with an X.509 certificate to protect the token's contents in transit and to enable validation of trusted issuers. For additional information about the Security Token Service, see Plan authentication methods (SharePoint Foundation 2010).

An Identity Provider-STS (IP-STS) is a Web service that handles requests for trusted identity claims. An IP-STS uses a database called an identity store to store and manage identities and their associated attributes. The identity store for an identity provider may be a simple, such as a SQL database table. An IP-STS may also use a complex identity store, such as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Service (AD LDS).

An IP-STS is available to clients who want to create and manage identities, and to relying party applications that must validate identities presented to them by clients. Each IP-STS has a federated trust relationship with, and issues tokens to, federation partner Relying Party STS Web applications, each of which are referred to as an RP-STS. Clients can create or provision managed Information Cards (using a card selector such as CardSpace) that represent identities registered with the IP-STS. Clients interact with the IP-STS when they request security tokens that represent an identity that is contained in the identity store of the IP-STS. After authentication, the IP-STS issues a trusted security token that the client can present to a relying party application. Relying party applications can establish trust relationships with an IP-STS. This enables them to validate the security tokens issued by an IP-STS. After the trust relationship is established, relying party applications can examine security tokens presented by clients and determine the validity of the identity claims they contain.

A relying party STS (RP-STS) is an STS that receives security tokens from a trusted federation partner IP-STS. In turn, the RP-STS issues new security tokens to be consumed by a local relying party application. The use of RP-STS Web applications in federation with IP-STS Web applications enables organizations to offer Web single-sign-on (SSO) to users from partner organizations. Each organization continues to manage its own identity stores.

Perform the following procedures to use Windows PowerShell to configure a SharePoint claims-based Web application.

To configure a SharePoint claims-based Web application by using Windows PowerShell
  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. From the Windows PowerShell command prompt (that is, PS C:\>), create an x509Certificate2 object, as shown in the following example:

    $cert = New-Object
    System.Security.Cryptography.X509Certificates.X509Certificate2("path to cert file")
  6. Create a claim type mapping to use in your trusted authentication provider, as shown in the following example:

    New-SPClaimTypeMapping ""
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
  7. Create a trusted login provider by first creating a value for the realm parameter, as shown in the following example:

    $realm = "urn:" + $env:ComputerName + ":domain-int"
  8. Create a value for the signinurl parameter that points to the Security Token Service Web application, as shown in the following example:

    $signinurl = "https://test-2/FederationPassive/"
  9. Create the trusted login provider, using the same IdentifierClaim value as in a claim mapping ($map1.InputClaimType), as shown in the following example:

    $ap = New-SPTrustedIdentityTokenIssuer -Name
    "WIF" -Description "Windows® Identity Foundation" -Realm
    $realm -ImportTrustCertificate $cert
    -ClaimsMappings $map1[,$map2..] -SignInUrl
    $signinurl -IdentifierClaim $map1.InputClaimType
  10. Create a Web application by first creating a value for the application pool account (for the current user), as shown in the following example:

    $account = "DOMAIN\" + $env:UserName
    The application pool account must be a managed account. To create a managed account, use New-SPManagedAccount.
  11. Create a value for the Web application URL ($webappurl = "https://" + $env:ComputerName), as shown in the following example:

    $wa = New-SPWebApplication -name "Claims WIF"
    -SecureSocketsLayer -ApplicationPool "SharePoint SSL"
    -ApplicationPoolAccount $account -Url $webappurl -Port 443
    -AuthenticationProvider $ap
  12. Create a site by first creating a claim object, as shown in the following example:

    $claim = New-SPClaimsPrincipal
    -TrustedIdentityTokenIssuerr $ap -Identity
  13. Create a site, as shown in the following example:

    $site = New-SPSite $webappurl -OwnerAlias
    $claim.ToEncodedString() -template "STS#0"

After you have configured a SharePoint claims-based Web application, edit the bindings.

To edit bindings
  1. Start IIS Manager by typing INETMGR at a command prompt.

  2. Go to the Claims Web Application site in IIS.

  3. In the left pane, right-click Claims Web Application, and select Edit Bindings.

  4. Select https and click Edit.

  5. Under SSL Certificate, select any listed certificate.

After you have configured a SharePoint Foundation 2010 claims-based Web application, edited the bindings and configured the Web.Config file, you can use the procedure in this section to configure a Security Token Service Web application.

To configure a Web application that uses an STS
  1. Open the Active Directory Federation Services (AD FS) s2.0Management console.

  2. In the left pane, expand Policy, and select Relying Parties.

  3. In the right pane, click Add Relying Party. This opens the Active Directory Federation Services (AD FS) 2.0 configuration wizard.

  4. On the first page of the wizard, click Start.

  5. Select Enter relying party configuration manually, and click Next.

  6. Type a relying party name and click Next.

  7. Make sure Active Directory Federation Services (AD FS) 2.0 Server Profile is selected, and click Next.

  8. If you are not planning to use an encryption certificate, click Next.

  9. Select Enable support for Web-browser-based identity federation.

  10. Type the name of the Web application URL, and append /_trust/ (for example: https://servername/_trust/). Click Next.

  11. Type an identifier, and click Add. Click Next.

  12. On the Summary page, click Next and then click Close. This opens the Rules Editor Management console. Use this console to configure the mapping of claims from an LDAP Web application to SharePoint.

  13. In the left pane, expand New Rule, and select Predefined Rule.

  14. Select Create Claims from LDAP Attribute Store.

  15. In the right pane, from the Attribute Store drop-down list, select Enterprise Active Directory User Account Store.

  16. Under LDAP Attribute, select sAMAccountName.

  17. Under Outgoing Claim Type, select E-Mail Address.

  18. In the left pane, click Save.